[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Colombia

Constitutional Privacy Framework

The Colombian Constitution protects the right to privacy as a fundamental human right.[1819] Article 15 provides that:

• Every individual has the right to personal and family privacy, and to his or her good name (buen nombre), while the State will respect them and must ensure they are respected. Similarly, individuals have the right to know, update, and rectify information gathered about them in data banks and in the records of public and private entities. Freedom and the other guarantees established by the Constitution will be respected in the collection, processing, and transfer of data.
• Correspondence and other forms of private communications are inviolable. They may only be intercepted or recorded pursuant to a court order and to formalities established by law.
• For tax or legal purposes, and for cases of inspection, supervision, and state intervention, the disclosure of accounting records and other private documents may be required within the limits provided by law.
  

Article 28 provides that "No one may be bothered in his person or family, sent to jail or arrested, nor may his home be searched, except pursuant to a written judicial order and to the law, and for reasons previously established by law."

The Court has recognized the right to privacy as a fundamental human right. It interprets this right as "protective of the private sphere of an individual and his family information that should not be transmitted to third parties, nor disclosed or published."[1820] The Constitutional Court has identified, on general terms, certain acts that are considered as part of private life by most people, by describing a wide range of facts, situations and phenomenons that an individual can usually protect from the knowledge of other people.[1821]

Statutory Rules Related to Privacy

There is no comprehensive data protection legal framework for the private sector despite some congressional activity on data protection since 1986 with a view to having a full range of legislation that is compatible with constitutional and international data protection principles. Sectoral laws include protections for medical records[1822] and the inviolability of correspondence and other forms of private communications.[1823] The Criminal Code[1824] establishes penalties for the following offenses: the illicit violation of communications[1825] and the offer, sale or purchase of suitable instrument to intercept private communications.[1826]

The State must guarantee the inviolability, privacy and secrecy of communications.[1827] Additionally, it must ensure "individual and family privacy as a fundamental right of the individual, against any interference of telecommunications activities."[1828] Secrecy of communications, particularly regarding postal, telegraphic, and telephone communications, is guaranteed,[1829] except in cases provided by the law or the Constitution and after the issuance of a judicial order. Telecommunications operators, on the other hand, must adopt all security measures required to guarantee the inviolability of communications and of users' personal data. Secrecy of telecommunications extends to voice and data communications, as well as sound and image documents, and the publication, or unauthorized use, of the existence or content of communications.[1830]

Law No. 527 of 1999 defines and regulates the access and use of data messages, electronic commerce and digital signatures, and establishes certification entities. The certification entities must, among other things, guarantee the protection, confidentiality and proper use of the information provided by the subscriber.[1831]

Privacy Case Law

Habeas data[1832] is also included in the Constitution. From 1992, the Constitutional Court, through more than 140 rulings, has defined the characteristics and the scope of habeas data, as well as the conditions under which the processing of data must be carried out. It has ruled that personal data (any information relating to an identifiable person) collected from individuals must be processed fairly and lawfully; collected and processed for specified, explicit and legitimate purposes; adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed; and individual consent must be obtained before, or at the time of collection, and whenever a new use is identified for the personal information. The data controller must not process any personal information in a way that has not been previously authorized; only collected to the extent necessary for the purposes identified; accurate and updated permanently; and kept in a form that permits identification of individuals for no longer that is necessary.[1833] In addition the data controller must provide customers with the right of access to such information, and the right to correct any inaccuracies in the data. Once collected, personal data may not be processed unless the customer has unambiguously given his or her consent.

About 85 percent of the Constitutional Court cases are related to complaints about the processing of data by financial companies (breach of contract cases). The other 15 percent are related to situations concerning, inter alia, the processing of health and social security data, as well as criminal records. In its rulings, the Court has incorporated guidelines contained in international documents issued by the United Nations and the European Union. A brief overview of some of the constitutional principles that must be observed throughout the processing of personal data follows:

a. Duties of the controller of personal data: Given the risks involved with the inadequate use of personal data, the Court has established that controllers of data banks have a constitutional duty to correctly manage the databases, and protect them and the personal data, or other socially relevant information, they hold,[1834 ]with the objective of preventing their alteration, loss, or unauthorized processing and access.[1835]

The Court has also prescribed those controllers to:

1. Abide by the constitutional rights of individuals during the collection, processing and transmission of data. As a result, data obtained, for instance through illegal means, shall not be incorporated into databases nor be transmitted. Likewise, the controller cannot include data pertaining to the individual's sphere of intimacy (esfera íntima);[1836]

2. Obtain consent from the data subject whose information is to be included in the database;[1837]

3. Inform the data subject of the insertion of his data in the bank;[1838]

4. Permanently keep the personal information up-to-date, without a request from the data subject, so as to ensure its integrity and accuracy;[1839]

5. Oversee that the information on the individual is complete, and that details or circumstances that could alter his good reputation are not disregarded;[1840]

6. Eliminate, without needing a request from the data subject, negative information that has expired;[1841]

7. Register true, unbiased, complete and sufficient information. In order to do so, extreme caution must be observed when inserting in a database that will be available to third parties, value judgments or personal appreciations about the data subject;[1842] and,

8. Compensate the damages caused by negligence or possible flaws in the processing and management of personal data.[1843]

b. The individual is considered as a title holder of his personal data: from its first ruling on the subject,[1844] the Court has made it clear that the individual, and not the controller of the database, owns his personal data. The citizen, as a titleholder of his personal data, is the bearer of legal rights and actions to claim from the controller, the loyal, legal and adequate processing of the information concerning him.

c. Principle of usefulness: This principle is established in order to restrict the possibility that personal data be recorded and stored without a legal purpose. This is why the Court has declared that "the collection, processing and transmission of personal data must be directed towards the accomplishment of a specific function, which is related to the satisfaction of a legitimate interest determined by the importance and utility of the information."[1845]

d. Consent: As a fundamental principle of the processing of personal data, the controller of the data bank must obtain consent from the data subject prior to the inclusion of the data in the database. If he fails to do so, the information must be immediately deleted.[1846]

e. Right of access, correction and update: The individual has the right to know the information relating to him that is stored in databases. The controller must guarantee that right. If the information is erroneous or incomplete, the individual can demand its amendment. According to the Constitutional Court, these rights comprise the citizen's ability to learn, immediately and completely, how, where and why there is information concerning him and, if the information is erroneous or incomplete, the individual can demand that the entity responsible for the system make the necessary amendments, clarifications or deletions, so as to preserve the fundamental rights that have been compromised.[1847]

f. Accuracy: Article 20 of the Constitution recognizes the right to inform and to receive "true and unbiased information." These conditions must be fulfilled in the processing of personal data. The information contained in a data bank must be permanently updated, and all the actions and circumstances related to the data must be included in the archive.[1848] The amendment to and updating of information must be primarily carried out by the controller.[1849]

g. Relevance and Purpose: The Court considers that data must be collected for a "constitutionally legitimate purpose."[1850] The Court has held that the principle of relevance implies that: "(i) the sole information that can be disclosed and solicited is that which is related to the functions, as attributed by law, of the soliciting institution . . . and that (ii) there must be a direct correlation between the required data and the subject matter that accounts for its collection."[1851 ]The principle of purpose, on the other hand, calls for the information solicited and disclosed to be "(i) strictly necessary to accomplish the purposes . . . and (ii) used solely for the purposes authorized by law."[1852]

h. Non-discrimination and sensitive data: As a complement to the principle of legality of data, the Court has declared that every piece of information must be collected with a constitutionally legitimate purpose, which means that "information on 'sensitive data' such as, sexual orientation, political views or religious dogma should not be collected, when such collection can lead, directly or indirectly, to a policy of discrimination and marginalization."[1853]

i. Inappropriate and illegitimate practices: The Court has held that the following acts and operations when processing personal data are inappropriate or illegitimate: the interconnection and indiscriminate disclosure of secret information or databases,[1854 ]the manipulation of information, the inclusion of incomplete data and the failure to update data.[1855]

j. Notification to the data subject of negative information, prior to its dissemination or disclosure to third parties: Whenever erroneous information is transmitted, the data subject will suffer damages and several of his human rights will be violated (for example, good reputation). The subsequent rectification of inaccurate information will not suffice to fully repair the damage caused with respect to the violated right. This is why the Court has stated that the individual has the right to amend erroneous information before it is published or transmitted.[1856]

k. Expiration of negative information: Ever since its first ruling on the subject,[1857] the Court has held that due to the data's own nature and relation to fundamental rights and liberties, they expire, they "cannot have the character of unmodified in nature,"[1858] and adverse data are not going to be perpetual[1859] or be kept indefinitely.[1860 ]

Unfortunately, there have been cases in which, despite the fact that the aforementioned period had passed, individuals remained registered in databases as defaulters.[1861]

Even with the adoption of legal rules and case law on data protection, violations of privacy remain a concern. Colombian legislation has not kept up with the technology, leaving big gaps in protection. Unlike some other countries, Colombia does not have law that directly tackles Internet privacy.

Despite the constitutional recognition of habeas data in Article 15 of the 1991 Constitution, there is no law that further regulates habeas data. Since 1986, several projects have been proposed to Congress but none of them has resulted in the enactment of a law. In the absence of legislation, the acción de tutela (the possibility of requesting in court the protection of a fundamental right) and the right of petition are the only tools a citizen can use to demand the respect of habeas data.[1862]

Legislative Responses to Terrorism

The Legislative Act No. 2 of 2003 modified certain articles of the Constitution in order to grant authorities powers to fight and prevent terrorism.[1863] The Act allows authorities:

• to intercept or register mail and other forms of private communications without a court warrant, but on serious grounds only, and upon immediate notification to the Procuraduría General de la Nación,[1864 ]and to be reviewed by a judge within the following 36 hours;
• to keep a register of the residence of every inhabitant on the Colombian territory;
• to conduct, without previous court order, arrests, raids and residence inspections, where there are serious motives related to the prevention of terrorist acts, but only upon immediate notification to the Procuraduría General de la Nación; and subject to a later review by a judge within the following 36 hours.
  

On December 10, 2003, the Senate passed a constitutional reform named "Anti-terrorism Act" containing provisions that would authorize government authorities to intercept private communications without judicial authorization in cases related to terrorism. This Constitutional reform provides that: "In order to prevent terrorist acts, a law will regulate the form and conditions in which the authorities it indicates can, based on serious reasons, intercept or examine the correspondence and other forms of private communication, without previous judicial order."[1865] According to Amnesty International, this constitutional reform undermines human rights.[1866]

In June 2004, the House of Representatives enacted legislation implementing the new constitutional reform. Article 4 of the anti-terrorism law allows the army, the police and the Administrative Department of Security (DAS) to carry out searches, tap telephones and intercept private correspondence without a judicial authorization in the case of persons suspected of terrorist links. Because the "anti-terrorism statute" involves a constitutional reform and the "anti-terrorism law" involves fundamental human rights, they must receive the endorsement of the Constitutional Court before becoming law. On August 30, 2004, the Constitutional Court declared this reform unconstitutional due to procedural irregularities during the approval of the law in Congress.[1867]

Wiretapping and Other Government Surveillance

Decree 75 of 2006 establishes that telecommunications wiretapping services are a national security measure for the investigation, detection, and prosecution of criminal offences.[1868] Telecommunications firms operating in Colombia must provide infrastructure for communications wiretapping in order to allow the Colombian Attorney General (Fiscal General de la Nación)[1869] and other competent authorities to perform interception activities according with the legal provisions and pursuant to judicial order. Accordingly, contractor agreements must include the obligation to prepare the necessary hardware and software to perform the interception. Once the interception is judicially authorized, the Telecommunications Service Operators must provide the Attorney General’s Office with all information concerning the geographic coordinates of the location of the terminal equipment subject to interception, as well as subscriber data, and the subject’s identity, invoicing address and type of connection.

An illegal police wiretapping operation against journalists, opposition figures and government members was discovered recently. The Government accepted responsibility for the situation and on May 14, 2007, they forced the Police Chief and the Head of Police Intelligence to retire. According to the Government, is not clear who ordered the illegal wiretaps, which individuals were monitored and who benefited from the interceptions. Minister of Defence Juan Manuel Santos said in a statement, "The procedure is totally unacceptable, illegal and contrary to the policy of the government." The statement did not specify whose phones had been tapped.[1870]

Open Government

Article 74 of the Constitution states that "Every person has a right to access public documents except in cases established by law." The main law regulating the access to public documents is Law No. 57 of July 5, 1985. Its Article 12, for example, grants every person the right to access and consult the documents that are held by the government, and to get a copy of them. However, people cannot consult or take a copy of documents that by law are considered exempted from disclosure (confidential information, medical records or documents that could have an impact on national security). The legal exemption is not effective 30 years after a document has been expedited. After that, the document acquires historical character and can be consulted by any citizen.[1871]

A key principle of the recent General Law of Public Archives[1872] is entitled "Administration and access." According to this law, the administration of public files is a duty of the State and a right of the citizens to get access to them.

International Obligations

Colombia signed the American Convention on Human Rights (the Pact of San Jose, Costa Rica) and the United Nations International Covenant on Civil and Political Rights. Colombia also ratified the Rome Statute of the International Criminal Court (ICC).

[1819] Constitution of Colombia, available at <http://www.presidencia.gov.co/constitu/actoslegis/02del2003.htm> (in Spanish).

[1820] Constitutional Court. Ruling C-872, September 30, 2003.
[1821] "When Article 15 of the Constitution establishes the right to personal and family privacy, it is obvious that it protects, in the first place, that which concerns the individual alone, such as his health, his sexual habits or preferences, his racial or family origin, his religious and political views. In addition, it protects the family orbit, what takes place within the family core and does not transcend the domestic sphere. Only under abnormal circumstances, and in order to return the situation back to normal, could the State, for instance, intervene, and the right to privacy must yield, temporarily, before a higher right." Constitutional Court, Ruling T-623, November 19, 1996.

[1822] Law No. 23 of 1981, available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).
[1823] Decree No. 229 of 1995, available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/>(in Spanish).
[1824] Law No. 599 of 2000, available at <http://www.secretariasenado.gov.co/leyes/L0599000.HTM> (in Spanish).
[1825] Article 192 of the Criminal Code provides that a person "who unlawfully removes, hides, misleads, destroys, intercepts, controls or cuts a private communication directed to another person, or illegally discover its contents, shall be punished with imprisonment of one to three years. If the author of that conduct reveals the content of the communication, or uses it for his own, or other people's benefit, or to cause damage to another, he or she shall be punished with imprisonment of two to four years." Law 599 issued in 2000, available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).
[1826] Article 193 of the Criminal Code provides that a person who, without permission of competent authority, offers, sells, or purchases suitable instruments to intercept private communications, shall be punished with a fine.

[1827] Article 8 of the Decree 1900 of 1990, available at <http://www.crt.gov.co/documentos/normatividad/decretos/DEC_1900_90.doc> (in Spanish).
[1828] See Article 9, Decree 1900 issued in 1990.
[1829] See Article 10, Decree 1900 issued in 1990.
[1830] See Article. 7.1.2 of Resolution 575 of 2002, of the Commission of Regulation of Telecommunications (Comisión de Regulación de Telecomunicaciones) (CRT).

[1831] Article 32 of Law No. 527 of 1999, available at <http://www.sic.gov.co/general.php?modulo=Normatividad/Leyes/Lista%20leyes> (in Spanish).

[1832] "Habeas data" is the right to know, update, and rectify information gathered about individuals in data banks and the records of public and private entities.
[1833] For more information about data protection in Colombia, see generally Nelson Remolina, Central of Information, Habeas Data and Data Protection: Advances, Challenges and Elements for its Regulation, in Internet and Telecommunications Law 358-437 (Legis 2003).

[1834 ]See Constitutional Court, Ruling T-227 (March 17, 2003).
[1835] See Constitutional Court, Rulings T-049 of 2004 and T-846 of 2004.

[1836] See the following rulings by the Constitutional Court: SU 082/95 and 089/95.

[1837] See Constitutional Court, Ruling No. T-615 of 1995.

[1838] See Constitutional Court, Ruling No. SU-089 of 95.

[1839] See, e.g., Constitutional Court, Rulings No. T-615 of 1995; T-096ª of 1995 and T-303 of 1998.

[1840] See Constitutional Court, Ruling No. T-086 of 1996 and T-199 of 1995.

[1841] See Constitutional Court, Ruling T-097 of 1995.

[1842] See Constitutional Court, Ruling No. T-307 of 1999.

[1843] See Constitutional Court, Ruling No. T-729 of 2002 and T-310 of 2003.

[1844] See Constitutional Court, Ruling No. T.414 of June 1992.

[1845] See Constitutional Court, Ruling No.C-185 of 2003.

[1846] See Constitutional Court, Ruling No. T-002 of 1993.

[1847] See, e.g., Constitutional Court, Rulings No. T-110 of 1993; T-303 of 1998 and T-321 of 2000. In Ruling T-309 of 1999, the Court stated that "the right to habeas data includes the right for every person to solicit and obtain, within a reasonable period of time, the amendment, insertion, limitation, cancellation, update or completion of the information that concerns him."

[1848] See the following rulings by the Constitutional Court: T-615 of 1995; T-176 of 1995; T-443 of 1994; T-094 of 1995; T-094 of 1995; SU-089 of 1995; T-443 of 1994; T-552/97; T-096 of 1995; T-086 of 1996; T-097 of 1995; T-414 of 191992; T-008 of 1993, T-022 of 1993 and T-060 of 1903.
[1849] See Constitutional Court's rulings No. SU 082 of 1995, SU-089 of 1995 and T-310 of 2003.

[1850] Constitutional Court, Ruling No. T-307 of 1999.
[1851 ]Constitutional Court, Ruling No. T-440 (May 29, 2003).
[1852] The same argument is contained in Ruling T-307 of 1999.

[1853] See Constitutional Court, Ruling No T-307/99.

[1854 ]Constitutional Court, T-729 of 2002.
[1855] Constitutional Court,T-814 of 2002.

[1856] See Constitutional Court, Ruling T-592 of 1903.

[1857] See Constitutional Court, T-414 of 1992.
[1858] Constitutional Court, Ruling T-303/98.
[1859] Constitutional Court, Rulings T-527 of 2000; T-856 of 2000 y T-268 of 2002, among others.
[1860 ]Constitutional Court, Rulings T-414 of 1992; T-110 of 1993, T-303 of 1998; T-729 of 2002, T-814 of 202 y T-060 of 2003, among others.

[1861] In one case, the fact that a woman had been late in her payments for seven months should have been kept only for 14 months according to the Court guidelines. She decided to file a complaint because the information was kept for longer than 48 months and the negative data had not been removed from the data bank. The Court found that the Banco de Occidente (Bank of the West) did not give Computec S.A. accurate information regarding the date when the citizen had paid her debt. Accordingly, the Court established that "such institutions are mandated to provide data banks with exact, complete and timely information, as well as any new circumstances concerning the data subject so as to allow data banks to register the individual's complete history in their records and transmit true and complete information. Overlooking such duties will affect the clients as well as the data banks," Sentence T- 814 (September 3, 2002.

[1862] In Colombia, if a person wishes to protect his fundamental rights with respect to the processing of personal data, she must first address the controller of the data bank and solicit the elimination, correction or amendment of the data. If the controller does not act upon the request, the citizen can turn to the judges and present an acción de tutela The judge must adjudicate within 10 days.

[1863] Legislative Act N° 2 of 2003 of December 18, 2003 (Acto Legislativo 02 de 2003 que modifica los artículos 15, 24, 28 y 250 de la Constitución Política de Colombia para enfrentar el terrorismo), available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).
[1864 ]An internal affairs agency, responsible for investigating reports of crimes or unlawful actions by government employees and recommending administrative sanctions such as suspensions, fines, and dismissals.

[1865] Constitutional Reform No. 2 of December 18, 2003.
[1866] "This measure is not only flouting the government's repeated commitments to the international community to act within the rule of law and respect human rights, but also failing Colombia's obligation to guarantee basic human rights standards." See Amnesty International, "Colombia - Constitutional Reform Undermines Human Rights," December 11, 2003. AI Index: AMR 23/077/2003 (Public). News Service No: 281, available at <http://www.amnesty.org> or <http://news.amnesty.org> and at <http://www.nationbynation.com/Columbia/Human.html>.

[1867] Sentencia C-818-04 sobre inexequibilidad del Acto Legislativo No. 02 de 2003 [Sentence related to the unconstitutionality of the Legislative Act], available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).

[1868] Decreto 75 de 2006 que define las Obligaciones que le Asisten a los Operadores de Servicios de Telecomunicaciones en Procura de Optimizar la Labor de Investigación de los Delitos por parte de las Autoridades Competentes [The Decree 75 of 2006 defines the Obligations of the Telecommunications Service Operators to Secure the Optimization of the Investigative Function in case of Crimes Performed by the Competent Authorities], available at <https://www.superservicios.gov.co/basedoc/decreto_nacional.shtml?x=58307> (in Spanish).
[1869] The Attorney General’s Office is the State organization in charge of, in coordination with the organizations with Judicial Police functions, dealing with the activities and processes related with the interception of telecommunications’ services. They are compelled to keep the secrecy of the data and the confidentiality of the information.

[1870] Muse, Toby. Shake-up in Colombia's Security Forces, Associated Press Writer. Miami Herald, May 15, 2007.
<http://www.miamiherald.com/915/story/106923.html>. See Crowe, Darcy, Colombia Admits Wiretapping Operation, The Associated Press, May 15, 2007, <http://news.findlaw.com/ap/i/630/05-15-2007/7b62002e6d653349.html>.

[1871] Articles 13 and 28 of Law No. 594 of July 4, 2000, available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).

[1872] Law No. 594 of July 4, 2000, available at <http://www.cpsr-peru.org/bdatos/colombia/privacidad/> (in Spanish).